XSS via uploaded PDF file in usememos/memos
Jan 3rd 2023
Hi there, it's my pleasure to submit a report to you again to help keep the project safe. Most users can upload files in the module named 'Resources', including PDF files. Uploading a malicious PDF file, however, causes an XSS vulnerability that can do great harm to users of the website.
You can click the following link to download the malicious PDF file I provided: pdf_file link. You can also search for more dangerous PDF files on the Internet or make one yourself. For details, watch my video at the link below.
Anyone who views this PDF file will be attacked.
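As an added defensive example that is not part of this report or of memos' own code: a Go first-pass check for active content in an uploaded PDF (it decodes PDF's #xx name escapes before matching, so /J#61vaScript is caught), together with the response headers that stop a served resource from rendering inside the site's origin. The PDF fragments are constructed samples and the function names are my own.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"mime"
	"regexp"
)

// Constructed sample, not a real upload: the catalog carries an /OpenAction with a
// JavaScript action, and /J#61vaScript uses PDF's #xx name escape to dodge plain greps.
const activeSample = "%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction " +
	"<< /S /J#61vaScript /JS (placeholder) >> >>\nendobj\n"

var hexEscape = regexp.MustCompile(`#([0-9A-Fa-f]{2})`)
// Dictionary keys and action types that run script or reach outside the file.
var activeContentKey = regexp.MustCompile(`/(JavaScript|JS|OpenAction|AA|Launch|RichMedia)\b`)

// ScanPDFForActiveContent returns active-content keys in order of first appearance. It only
// sees uncompressed objects (FlateDecode object streams need inflating first), so a clean result
// is a first-pass check, not proof of safety.
func ScanPDFForActiveContent(data []byte) []string {
	// Decode #xx name escapes first so obfuscated names compare literally.
	text := hexEscape.ReplaceAllStringFunc(string(data), func(m string) string {
		b, _ := hex.DecodeString(m[1:])
		return string(b)
	})
	seen := map[string]bool{}
	var found []string
	for _, m := range activeContentKey.FindAllString(text, -1) {
		if !seen[m] {
			seen[m] = true
			found = append(found, m)
		}
	}
	return found
}

// HardenedResourceHeaders returns headers for serving any uploaded resource: force download
// instead of inline rendering, block MIME sniffing, and sandbox the response into an opaque
// origin so a file that does get rendered cannot read the application's cookies or DOM.
func HardenedResourceHeaders(filename string) map[string]string {
	return map[string]string{
		"Content-Disposition":     mime.FormatMediaType("attachment", map[string]string{"filename": filename}),
		"X-Content-Type-Options":  "nosniff",
		"Content-Security-Policy": "sandbox",
	}
}

func main() {
	fmt.Println(ScanPDFForActiveContent([]byte(activeSample))) // [/OpenAction /JavaScript /JS]
	fmt.Println(HardenedResourceHeaders("report.pdf")["Content-Disposition"])
}
```

Serving uploads from a separate origin is the stronger fix; the headers above are the minimum for the same-origin case, and the scanner only catches what is visible without inflating compressed object streams.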
You can also refer to the following link for vulnerability information related to the PDF file:
(1) Stealing the administrator's account or cookie lets the intruder log in to the back end as an administrator and manipulate back-end data maliciously, including reading, changing, adding and deleting information.
(2) Stealing users' personal information or login accounts poses a huge threat to the security of the website's users, for example by impersonating a user to perform various operations.
(3) Drive-by Trojan delivery (website "horse hanging"): the malicious attack code is first embedded into the web application, and when a user browses the infected page a Trojan horse is implanted on the user's computer.
(4) Send advertisements or spam messages. Attackers can use XSS vulnerabilities to plant advertisements or send spam, seriously affecting